Summary
AI agents are rapidly moving from assistants to autonomous operators that execute tasks, access data, and interact with systems across the enterprise. This creates a dramatically expanded attack surface.
According to Gartner, non-human identities already outnumber human identities in many organizations by at least 10:1. As agentic systems proliferate, that ratio will only increase.
Organizations that fail to apply Zero Trust to AI agents risk uncontrolled access, credential sprawl, and automated lateral movement across their environments.
The Agentic Threat Landscape
To understand how Zero Trust applies, it is important to first look at the threat landscape these systems introduce.
In an agentic environment, attackers have a wealth of options, including:
- Prompt injection: manipulating the agent’s input to break its context and make it perform unintended actions.
- Model and data poisoning: corrupting the LLM training data, the RAG knowledge base, or the preference and policy data that guides agent behavior.
- Tool and API compromise: tampering with a tool the agent uses, or inserting an attacker in the communication path between agent and tool (including MCP connections).
- Rogue agents: an agent outside the trust boundary interacting with your agents, or a sub-agent that goes off-script after being spawned.
- Credential theft and privilege escalation: stealing non-human identities or exploiting overly broad permissions to move laterally.
These risks are not entirely new, but they scale differently in agentic environments: faster, more automated, and harder to detect.
Why Zero Trust Still Works for AI Agents
Fortunately, the rise of AI does not change the core principles of Zero Trust.
They remain as relevant as ever:
- Never trust, always verify. Every interaction must be authenticated and authorized. No implicit trust, regardless of where the request originates.
- Least privilege. Only the access needed, only for as long as it is needed, and not a moment longer.
- Assume breach. Design your security as if the attacker is already inside your network, your database, your application. This mindset leads directly to continuous monitoring, validation, and the ability to contain damage when (not if) something goes wrong.
The only thing that has changed is the environment these must be applied to.
Just-in-Time, Not Just-in-Case
In traditional environments, users often have standing privileges. Access is granted in advance and remains available.
With AI agents, this model becomes risky.
Agents execute instructions, but they do not apply judgment. They follow statistical patterns, not intent. That makes persistent access a liability.
Just-in-time (JIT) access should therefore be the default:
- Credentials are issued when needed
- Scoped to a specific task
- Revoked immediately after
Dynamic, vault-based credentials replace hardcoded secrets.
This is least privilege applied more rigorously.
The CISA Zero Trust Pillars: Traditional vs. Agentic
Zero Trust was originally defined by Forrester, with CISA later outlining its own model built around five pillars: Identity, Devices, Networks, Applications & Workloads, and Data.
These pillars remain the foundation for agentic AI security, but their implementation changes significantly when autonomous agents become users.
The easiest way to understand the security shift is to map agentic AI against the five Zero Trust pillars defined by CISA.
| CISA PILLAR | TRADITIONAL ZERO TRUST | AGENTIC AI ZERO TRUST |
| Identity | The user is a human. Authenticated with MFA, assigned roles, managed lifecycle (joiner/mover/leaver). One identity per person. Accountable: can be trained, disciplined, terminated. Identity governance is mature. | The “user” is software, a non-human identity (NHI). No consciousness, no accountability. One agent can hold dozens of NHIs and spawn sub-agents needing their own. JIT access should be the default. Credentials must be dynamic and vault-based, never hardcoded. |
| Devices | A laptop, phone, or workstation. Controlled with EDR, compliance-checked (patched, encrypted, not jailbroken). A physical asset you can inventory, manage, and wipe. | No “device” in the classic sense. The equivalent is the runtime environment: a container, VM, serverless function, or cloud instance. Questions shift to: is the runtime trusted, hardened, and attested? The concept becomes “execution environment trust.” |
| Networks | Segment the network, encrypt traffic, prevent lateral movement. Microsegmentation isolates workloads so a breach in one zone does not spread. | Still critical, arguably more so. Agents communicate over APIs, MCP connections, and inter-agent channels. Every connection is a potential lateral path. Agents may also reach outside the boundary to external APIs and third-party services. |
| Applications & Workloads | Secure the application with DevSecOps, vulnerability scanning, WAF, and secure coding. Deploy it, patch it, monitor it. The application does what it is supposed to and nothing more. | The agent IS the application, but also the user, and it uses other applications (tools, APIs, MCP servers). Requires a vetted tool registry. Must also secure the agent supply chain: model, training data, RAG sources, and prompt templates. |
| Data | Classify, encrypt, control access, prevent exfiltration (DLP). Know where sensitive data lives and who can reach it. | All of the above, plus new dimensions: training data integrity, RAG knowledge base tampering, context/preference data security, and agent output control. Data scope doubles: protecting data going in, data in use, and data coming out. |
What Actually Changes Across the Five Pillars
The pillars don’t change – but what they mean does. In an agentic environment, each pillar shifts in ways that break traditional assumptions
Identity – no accountability model
AI agents act as users, but without accountability. They cannot be trained, corrected, or held responsible. One agent can manage multiple non-human identities and even spawn new ones.
Identity shifts from who you are to what you are allowed to do right now.
Devices – no device, only execution
There is no endpoint to trust. The “device” becomes the runtime: a container, VM, or serverless function.
Trust moves from physical assets to execution environment integrity.
Networks – Every Connection Is a Risk
Agents communicate constantly across APIs, tools, and other agents. Each interaction becomes a potential lateral movement path.
Microsegmentation must operate at the interaction level, not just network zones.
Applications & Workloads – the agent is the app (and the user)
Agents are not just applications. They are also users, orchestrators, and decision-makers using other tools and services dynamically.
The attack surface expands to include the entire agent supply chain: models, tools, prompts, and integrations.
Data – the scope doubles
Data protection no longer stops at storage. You must secure data going in (training, RAG), data in use, and data coming out (agent outputs).
Data security becomes end-to-end, not just at-rest or in-transit.
Make Zero Trust Feel Clear, Not Complicated
Step into a world where cybersecurity finally makes sense. Our Dictionary helps you cut through the noise, understand the language, and feel confident in every conversation—no matter your expertise level.
Beyond the Five Pillars
While the CISA model provides a strong foundation, there are additional considerations specific to agentic AI.
Intention
Agents do not have inherent purpose. Their actions must be validated against defined objectives. Deviations may indicate misuse or compromise.
Behavioral analytics
Agents exhibit patterns. Sudden changes in activity, access, or frequency should be treated as potential indicators of compromise.
Traceability
AI systems are non-deterministic. Logging actions and decision paths is essential for both security and troubleshooting.
Human-in-the-loop controls
Autonomy requires boundaries. Kill switches, rate limits, and approval workflows remain necessary for high-impact actions.
Same Strategy, New Game
Zero Trust gives us the Strategy. The principles are proven. The CISA pillars provide a solid, well-recognized structure to organize our thinking. But the game has changed: our “users” are now software, our “devices” are runtime environments, our “applications” are both the agent and the tools it uses, and the attack surface has multiplied. The strategy does not change. The implementation must.
At ON2IT, we believe Zero Trust is the right strategy for the AI era. It always has been.
Organizations that apply Zero Trust to AI agents gain control over the fastest-growing identity class in the enterprise. Those that don’t will discover that autonomous systems with standing privileges create attackers’ dream infrastructure.
FAQ
Agentic AI refers to AI systems that can autonomously perform tasks by interacting with tools, APIs, and data sources. Unlike traditional AI assistants that only generate responses, AI agents can execute actions such as retrieving information, triggering workflows, or making system changes.
Because they operate with permissions inside enterprise environments, they effectively behave as software-based users that must be governed and secured.
AI agents increase the attack surface because they interact with multiple systems and operate with credentials. They may access internal data, call external APIs, or trigger automated workflows. If an attacker manipulates the agent’s inputs, tools, or permissions, the agent may perform unintended actions.
Without strong controls, compromised agents can enable rapid lateral movement or data exposure.
Zero Trust treats AI agents as identities that must continuously verify authorization before accessing systems or data. Instead of granting standing privileges, agents should receive just-in-time access scoped to specific tasks.
Every interaction (whether an API call, data request, or tool invocation) must be authenticated, validated, and monitored to prevent misuse.
Non-human identities are credentials used by software systems rather than people. Examples include service accounts, API keys, machine identities, and AI agents.
As organizations deploy more automation and AI-driven workflows, the number of non-human identities grows rapidly. Managing these identities securely is critical to prevent credential sprawl and unauthorized access.
Protecting AI agents requires several layered controls. Just-in-time credentials reduce the risk of standing privileges. Secure runtime environments ensure agents run on trusted infrastructure. Network segmentation limits lateral movement, while behavioral monitoring detects unusual activity.
Together, these controls apply Zero Trust principles to autonomous systems.
Organizations should log every action an AI agent performs, including tool usage, API calls, and data access. Behavioral monitoring can then detect anomalies, such as unusual request patterns or unexpected data queries. Human-in-the-loop controls and approval gates provide additional safeguards for high-impact actions.
